
The published Snort signatures are usually quite accurate but you need to understand that they are tested as well as they can be and fine tuned as needed but there is no way they can fit _every_ single network out there. That's why the rule writing language is so accessible and relatively simple so that you can fine tune them yourself to better fit your network. If there are a lot of FP's on your network for a certain rule you need to determine whether you even need the rule or not. If you need the rule because there is a potential threat to your network within it then you can look at the rule and fine tune it yourself to better fit your network. If you don't need the rule then comment it out... The more you comment out because they pose no threat the more efficient the detection engine will be.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Generally you will find that only certain machines will cause a significant number of false positives so you can often negate the IP address or range. If you can't negate it within the rule itself you can create a "Pass" rule for the offending IP(s). However, you need to be _very_ careful how you use "Pass" rules because you can drop traffic that you might want.

In order to make a "pass" rule do the following. Let's say the rule causing the false positives is:-

Obviously this rule is going to catch you surfing your pr0n which we don't want... (Let's assume that you have very disciplined users and they never try to break policy so your box is the only one causing the FP's <LOL>)

Copy and paste the rule and change "alert" to "pass", change "$HOME_NET" to your box's IP address and alter the comment so you know why you are "passing" this traffic. It should now look like this:-

Even though the rule is in place it won't "pass" your traffic until the mechanism Snort uses for rules processing is altered to accept the "Pass" rule. Stop Snort and add "-o", (without the quotes), to the command line and restart Snort. This allows Snort to check traffic using the "Pass" rule first and then move on to the "Alert" rules, and it will stop reporting your pr0n surfing, making you look like that fine, upstanding young man you clearly are... <VBG>

Obviously you want to write "Pass" rules that are as _specific_ as possible. The more detail you can force it to match yet still not cause FP's on the "alert" rule the better. The broader you leave the "match pattern" the more likely you are to make a mistake and "pass" traffic that you really needed to see...


*Any* signature based solution will generate false positives, period. No matter what vendors tell you, or open source developers, there is no way to weed out 100% of the false positives that are flagged.

That said, you've already gotten the best advice out there for signature based solutions. Tune, tune, tune. This is the only way to get the rate down to an acceptable level. One thing that I'd like to add is that tuning is a never ending process. There is no, "set it and forget it".

--Th13

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

EDIT: Would also like to add that you should be extremely careful with suppression, thresholds, and pass rules...poorly written or conceived changes may utterly nerf the ability of snort to be useful as an IDS (for example, if you were to implement TigerShark's example, you'll miss ALL alerts/alarms for _ANY_ outbound HTTP connection from your PC to an external network...So while messing around with these, make sure they are exceptionally specific...

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

Oh yes there is... We have one... It cooks a great leg of lamb!!!! Here
